JPH10134157A - Cryptographic authentication processing method and apparatus using computer card - Google Patents

Abstract

(57) [Summary] PROBLEM TO BE SOLVED: To ensure that only a legitimate user can use a plurality of cryptosystems and that a plurality of application systems simultaneously function without secret information in a cryptographic device leaked to a third party. The present invention provides a cryptographic authentication processing method and apparatus using a computer card capable of performing the authentication. SOLUTION: A user inquires of an encryption system management unit 19 about an encryption system, sets a use mode in a communication control unit 11, starts communication, transmits a user ID to an access control unit 12, and transmits a user ID to the access control unit 12. Gives the user the right to access the secret information only when it matches the user ID stored in the secret information storage unit 23. The user accesses the public information and the secret information according to the given access right, and generates the key. Perform processing and encryption authentication processing.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a cryptographic authentication processing method and apparatus using a computer card which can be applied to data encryption and authentication in a computer system or a communication system.

[0002]

2. Description of the Related Art In recent years, methods for dealing with the threat of eavesdropping, falsification, and spoofing of information in information communication over an open network have been studied. Conventionally, in a method of protecting information communicated over a network or information stored in an information terminal device, a method of performing an encryption authentication process in an information terminal device or a method of performing an encryption authentication process in an external device such as a computer card Methods are known.

In these encryption methods, as shown in FIG. 12, a user first uses a user ID for using an encryption device.
Is predetermined and stores a key generated in the cryptographic device by a key generation command of the user. User is User I
By inputting D, the use permission of the key is obtained, and the key is acquired by the key acquisition instruction. Next, it is effective to issue a command to encrypt the plaintext data with the obtained key, accumulate the encrypted data in the information terminal device, or start communication processing.

[0004]

In the above-described conventional encryption method, when an encryption key, which is secret information, is stored in an encryption device (information terminal device and computer card), the encryption key is usually stored after being encrypted with a secret key or the like. However, when the encryption process is actually performed, the obtained encryption key is decrypted and expanded on the main memory, so that there is a risk of eavesdropping, especially when the key is stored in the information terminal device. Could be stolen or erased.

Further, since the user ID for the user to perform the encryption processing is fixed in advance, there is a high risk that the user ID is leaked. In addition, there is no way to cope with the case where the user forgets the user ID, which places a burden on the computer issuer, such as reissuing the computer card. In addition, in the conventional encryption method using a computer card, only one encryption method can function, and it is not possible to simultaneously function from a plurality of application systems.

[0006] The present invention has been made in view of the above,
The purpose is to ensure that only the legitimate user can use a plurality of encryption schemes without leaking the secret information in the encryption device to a third party, and that it can be simultaneously operated by a plurality of application systems. An object of the present invention is to provide an encryption authentication processing method and apparatus using a computer card.

[0007]

In order to achieve the above object, according to the present invention, information accumulated by a user or information delivered to a user is encrypted with a secret encryption key in a computer card. The gist of the present invention is to use it in a computer card or an external device connected to the computer card.

According to the present invention, a user stores or distributes information encrypted by a public key of a common key cryptosystem or a public key cryptosystem to a secret in a computer card. The gist is that the data is decrypted with a decryption key and used in the computer card or an external device connected to the computer card.

Further, according to the present invention, a predetermined user ID stored in the computer card and a character string newly inputted by the user are sent to the computer card, and the predetermined user ID and The gist is to confirm that the sent user IDs match, and to set the newly input character string as the user ID in the computer card.

[0010] According to the present invention, when the user forgets the user ID stored in the computer card,
The gist is that the computer card is accessed with a special right and a new user ID is stored.

According to a fifth aspect of the present invention, the user starts communication with the computer card, the computer card confirms the user, and the information in the computer card permitted according to the authority of the user. The gist of the present invention is to use an encryption authentication function with an encryption method specified by a user without using secret information or a cryptographic method to leak secret information out of a computer card.

Further, the present invention according to claim 6 provides the present invention according to claim 5.
In the described invention, the process of starting communication with the computer card by the user is based on whether the user can share the communication with another application program, whether the user can read from and write on the computer card, and the encryption in the computer card. The gist is to specify whether functions can be executed in parallel and start communication.

According to a seventh aspect of the present invention, in the invention of the fifth aspect, the process of confirming the user by the computer card is performed by a user ID which is predetermined or set by the user as needed.
Is stored in the computer card, and it is checked whether or not the character string input by the user matches the encrypted one, or the encrypted user ID stored in the computer card is decrypted. The gist is to check whether or not the converted character string matches the character string input by the user.

The present invention according to claim 8 provides the present invention according to claim 5.
In the invention described in the above, the processing in which the computer card confirms the user is performed by encrypting or storing the user ID that is predetermined or set by the user as needed in the computer card. Adds to the random number generated in the above or sends it to the user by taking an exclusive OR, and subtracts the character string entered by the user from the information sent from the computer card or exclusive OR The gist is to return the value obtained to the computer card and check whether the random number generated in the computer card matches the returned value.

Further, the present invention according to claim 9 provides the present invention according to claim 5.
In the described invention, the process of using the information and the encryption method in the computer card according to the authority of the user checks whether or not the user is an administrator with the computer card, and in the case of the administrator, discloses the information in the computer card The gist is to give access to information, and otherwise give access to public and confidential information in the computer card.

According to a tenth aspect of the present invention, in the invention according to the fifth aspect, the processing for preventing the user from leaking the confidential information to the outside of the computer card does not require the confidential information to be notified to the outside of the computer card as it is, The gist is to notify the user of the identifier added to the information.

According to the eleventh aspect of the present invention, in the invention according to the fifth aspect, the process of using the cryptographic authentication function by the encryption method designated by the user is performed by a plurality of functions that the user functions in the computer card. The gist of the present invention is to obtain a list of encryption methods and select an encryption method to be used.

Further, according to the present invention, a communication control unit for controlling communication between a user and a computer card, an access control unit for controlling which information in the computer card the user can access, A control unit that controls tasks in the computer card and performs task management for executing the encryption / authentication processing in parallel; an encryption / decryption processing unit that performs encryption / decryption processing; and a signature / authentication processing unit that performs signature / authentication processing. A hash processing unit for compressing plaintext data for signature, a key pair generation unit for generating a public key and a secret key, a random number generation unit for generating random numbers for encryption key generation and user authentication, and a computer card An encryption method management unit that manages a plurality of encryption methods that function on the computer card, an encryption method storage unit that stores the encryption methods that function on the computer card, and a public key that stores data that can be referenced from outside the computer card. And summarized in that has a data storage unit, and a secret information storage unit that only the authorized user to store available reference data.

According to the twelfth aspect of the present invention, the user inquires of the encryption system management unit about the encryption system functioning in the computer card, and asks the communication control unit for the function of the computer card in a plurality of application systems. Communication is started by setting a use mode such as whether or not sharing is possible, and a user ID is transmitted to the access control unit, and the access control unit matches the user ID stored in the secret information storage unit. Only in the case where the access right of the secret information is given to the user, the user accesses the public information and the secret information according to the given access right, and performs the key generation process and the encryption authentication process without leaking the secret information out of the computer card. Do. Also, the user ID stored in the computer card can be changed at any time, and the user ID can be reset by accessing the computer card with special authority.

[0020]

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 is a block diagram showing the configuration of a computer card which is an encryption authentication processing device that performs an encryption authentication processing method according to an embodiment of the present invention. The computer card shown in FIG. 1 includes a communication control unit 11 for controlling communication between a user and the computer card, an access control unit 12 for managing a user's access right to information in the computer card, and encryption / decryption in the computer card. , A control unit 13 for performing task management for executing functions such as password and signature / authentication in parallel, an encryption / decryption processing unit 14 for actually performing encryption / decryption processing using an encryption method designated by the user, A signature / authentication processing unit 15 that performs signature / authentication processing using an encryption method designated by the user, a hash processing unit 16 that compresses original plaintext data when generating signature data, and a public key and a secret key. A key pair generating unit 17 for generating a random number; a random number generating unit 18 for generating a random number for generating a cryptographic key and user authentication; and a cryptographic system managing unit 19 for managing a plurality of cryptographic systems functioning on a computer card.
And an encryption method storage unit 21 storing an encryption method functioning on the computer card, a public information storage unit 22 storing data that can be referred to from outside the computer card, and only a valid user authenticated by the computer card And a storage unit 20 including a secret information storage unit 23 for storing data that can be referred to.

FIG. 2 is a flowchart showing a procedure for performing encryption and authentication using the computer card shown in FIG. The encryption and authentication procedure shown in the figure notifies the user of the encryption method that functions in the computer card (step S3).
1), communication with the user is started (step S32), and the user of the computer card is authenticated (step S33),
The plaintext data specified by the user is encrypted (step S3
4) The signature data is generated from the plaintext data specified by the user (step S35).

FIG. 3 is a flowchart showing a procedure for setting a user ID on the computer card shown in FIG. In the user ID setting procedure shown in the figure, the user ID is initialized (step S41), and the user ID is changed (step S42).

FIG. 4 is a diagram showing the encryption system acquisition process shown in step S31 of FIG. In the figure, when the user inquires of the computer card which encryption method can be used, the encryption method management unit 19 of the computer card
Searches the encryption method storage unit 21 to obtain a usable encryption method (step S311), and notifies the user of the obtained encryption method identifier in a list format (step S312).

FIG. 5 is a diagram showing the communication mode setting processing shown in step S32 of FIG. In the figure, when starting communication with a computer card, the user checks whether or not the communication can be shared with another application system (step S321). Whether it is used is set in the communication control unit 11 and managed (step S322). Then, it is checked whether the data in the computer card is readable only (R / O) or readable and writable (R / W) (step S323). If only reading is possible, only reading is permitted to the storage unit 20 (step S32).
4) If it is readable and writable, read and write is permitted to the storage unit 20 and the information is transmitted to the access control unit 1.
It is set to 2 (step S325). Also, it is checked whether the encryption / decryption and signature / authentication processing functioning in the computer card can be executed in parallel (step S326). If possible, the control unit 13 performs task management, and enables encryption processing to be executed in parallel (step S327). After the designation of the user is set in the communication control unit 11, the access control unit 12, and the control unit 13 as described above, the communication identifier (session identifier) is notified to the user.

FIG. 6 is a diagram showing task management of the communication control unit 11 and the control unit 13. In the process of FIG. 5, when it is specified that the communication between the user and the computer card is shared with another application system, the communication control unit 11 monitors the communication (communication session 1) of the application system currently using the computer card. Then, when there is an interrupt using the computer card from the application system 2, the communication 1 is interrupted, and the communication (communication session 2) of the application system 2 is started. When a certain period of time elapses or when the processing of the application system 2 ends, the communication 2 ends, and the communication 1 restarts.

In the process of FIG. 5, when the user uses the computer card and specifies that the processes are to be executed in parallel, the control unit 13 starts the cryptographic process within the currently connected communication session and waits for a certain period of time. , The encryption process is interrupted and the signature process is started. Then, when a certain period of time has passed or the signature processing has been completed, the previous encryption processing is restarted.

FIG. 7 shows a pre-process S33 in FIG.
It is a figure which shows the procedure of. Random number generator 1 in computer card
8 generates a random number R (step S331), and stores the random number R in the user ID stored in the user secret information storage unit 23.
(Or exclusive OR) is communicated to the user (step S332). User is his / her ID
Is input, and R ′ obtained by subtracting the input character string from Rp (or taking an exclusive OR) is notified to the computer card.
The computer card compares the previously generated random number R with R ′ notified by the user, and if they are equal, authenticates the user as valid (step S333). As another method of user authentication, a predetermined user ID is encrypted and stored in a computer card, and whether or not the character string input by the user matches the encrypted character string is determined. A method of checking whether the encrypted user ID stored in the card matches the decrypted user ID can be applied.

FIG. 8 is a diagram showing the process S34 in FIG. When the user requests the computer card to generate an encryption key, the computer card generates an encryption key using the random number generation unit 18 (step S341), and assigns and stores an identifier in the user's secret information storage unit 23. At the same time, the user is notified of only the assigned encryption key ID (KeID) (step S342). Next, the user selects one of the plurality of encryption methods acquired in the processing S31 in FIG.
(KeID) and the plaintext data are notified to the computer card, and an encryption process is requested. In the computer card, the encryption / decryption processing unit 14 specifies the specified encryption method in the encryption method storage unit 21, specifies the encryption key from the specified encryption key ID (KeID), and converts the specified plaintext data. The data is encrypted (step S343). Notifying the user with the encrypted data and the encryption key ID (KeID) used for the encryption,
It can be stored in the user's secret information storage unit 23 in the computer card (step S344).

When decrypting, the user notifies the computer card of the encrypted data and the encryption key ID (KeID) used for the encryption, and the encryption / decryption processing unit 14 in the computer card decrypts the data.

FIG. 9 is a diagram showing a procedure of the processing S35 of FIG. When the user requests the computer card to generate a public key / private key, the computer card generates a key pair in the key pair generation unit 17 (step S351). The public key is sent to the public key information storage unit 22, and the secret key is sent to the computer key. At the same time as assigning and storing an identifier in the user's secret information storage unit 23, the user is notified only of the assigned secret key ID (KsID) (step S).
352). Next, the user selects one of the plurality of encryption methods acquired in the processing of FIG. 2, notifies the secret key ID (KsID) and the plaintext data to the computer card, and requests the computer card for signature processing. In the computer card, the hash processing unit 16 compresses the specified plaintext data (step S353), and the signature / authentication processing unit 15 stores the specified encryption method in the encryption method storage unit 2.
1 and identifies the secret key from the designated secret key ID (KsID), and encrypts the previously compressed data (step S354). The user is notified of the encrypted data as signature data (step S355).

In the case of authentication, a user obtains a public key ID (KpID) from a computer card, notifies the computer card together with the encryption method, signature data, and original data of the signature, and requests authentication. In the computer card, the hash processing unit 16 compresses the original data of the signature. Next, the signature / authentication processing unit 15 specifies the specified encryption method in the encryption method storage unit 21, specifies the public key from the specified public key ID (KpID), and decrypts the specified signature data. . If the previously compressed data and the decrypted data match, the original data of the signature and its user are valid.

FIG. 10 is a diagram showing the initialization process of the user ID of FIG. After the privileged user is authenticated by the privileged user ID in the user authentication process with the process S33 in FIG. 2, that is, the same authentication process as the user authentication process shown in FIG. 7 (step S411), the initial value of the user ID is set. To the computer card, and the computer card temporarily stores the user ID in the public information storage unit 22 and sets it (step S412).

FIG. 11 is a diagram showing the procedure of the process S42 in FIG. The user notifies the computer card of the new user ID and the old user ID previously set by himself or the initial value set by the privileged user, and requests a change. The computer card first checks whether or not there is a user ID previously set by the user in the user's secret information storage unit 23 (step S42).
1) If there is, it is determined whether the user ID matches the specified old user ID (step S42).
2). If there is no previously set user ID in the user secret information storage unit 23, does the initial value of the user ID stored in the public information storage unit 22 match the initial value of the specified old user ID? It is determined whether or not it is (step S423).
If either of the above-mentioned judgments is passed, the designated new user ID is stored in the user secret information storage unit 23 (step S424).

[0035]

As described above, according to the present invention,
A computer card can be shared by a plurality of application systems, encryption / decryption processing and signature / authentication processing functioning on the computer card can be performed in parallel, and secrets such as keys used for encryption and signatures can be used. Since the information is not disclosed to the user, secure encryption and signature processing can be performed.
Even when D is forgotten, a new user ID can be set, and secure cryptographic authentication processing can be executed without leaking secret information such as a key out of the computer card.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration of a computer card that is an encryption authentication processing device that performs an encryption authentication processing method according to an embodiment of the present invention.

FIG. 2 is a flowchart showing a procedure for performing encryption and authentication using the computer card shown in FIG.

FIG. 3 is a flowchart showing a procedure for setting a user ID on a computer card.

FIG. 4 is a diagram showing an encryption method acquisition process shown in step S31 of FIG. 2;

FIG. 5 is a diagram showing a communication mode setting process shown in step S32 of FIG. 2;

FIG. 6 is a diagram showing a communication control unit used in the computer card shown in FIG. 1 and task management of the control unit.

FIG. 7 is a diagram showing a user authentication process shown in step S33 of FIG. 2;

FIG. 8 is a diagram showing the encryption processing shown in step S34 of FIG.

FIG. 9 is a diagram showing the signature processing shown in step S35 of FIG. 2;

FIG. 10 is a diagram showing a user ID initialization process shown in step S41 of FIG. 2;

FIG. 11 is a diagram showing a user ID change process shown in step S42 of FIG. 2;

FIG. 12 is a diagram showing a conventional encryption processing procedure.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 11 Communication control part 12 Access control part 13 Control part 14 Encryption / decryption processing part 15 Signature / authentication processing part 16 Hash processing part 17 Key pair generation part 18 Random number generation part 19 Encryption method management part 21 Encryption method storage part 22 Public information storage Unit 23 Secret information storage unit

 ────────────────────────────────────────────────── ─── Continuing on the front page (72) Inventor Yoshiyoshi Yamanaka 3-19-2 Nishishinjuku, Shinjuku-ku, Tokyo Japan Telegraph and Telephone Corporation

Claims (12)

[Claims] 1. A method in which information accumulated by a user or information delivered to a user is encrypted with a secret encryption key in a computer card and used by an external device connected to the computer card or the computer card. A cryptographic authentication processing method using a computer card as a feature. 2. The user is stored or delivered to the user,
It is characterized in that information encrypted with a public key of a common key cryptosystem or a public key cryptosystem is decrypted with a secret decryption key in a computer card, and is used in the computer card or an external device connected to the computer card. An encryption authentication processing method using a computer card. 3. A predetermined user ID stored in the computer card and a character string newly input by the user are sent to the computer card, and the predetermined user ID matches the transmitted user ID. And confirming that the character string is newly input, and setting the newly input character string as a user ID in the computer card. 4. A computer characterized in that when a user forgets a user ID stored in a computer card, the computer card is accessed with a special right and a new user ID is stored. An encryption authentication processing method using a card. 5. A user starts communication with the computer card, the computer card confirms the user, and uses information or an encryption method in the computer card permitted according to the authority of the user, and uses secret information. A cryptographic authentication processing method using a computer card, wherein the cryptographic authentication function is used with an encryption method designated by a user without leaking out of the computer card. 6. A process in which a user starts communication with a computer card includes determining whether the user can share the communication with another application program, whether the user can read from and write to the computer card,
6. The encryption authentication processing method using a computer card according to claim 5, wherein the communication is started by designating whether the encryption functions in the computer card can be executed in parallel. 7. The process in which the computer card confirms the user is performed by a user ID that is predetermined or set at any time by the user.
Is stored in the computer card, and it is checked whether or not the character string input by the user matches the encrypted one, or the encrypted user ID stored in the computer card is decrypted. 6. The encryption authentication processing method using a computer card according to claim 5, wherein it is checked whether or not the converted character string matches a character string input by the user. 8. The process in which the computer card confirms the user is performed by a user ID that is predetermined or set at any time by the user.
Is stored in the computer card in an encrypted form or stored as it is, and the user ID is added to the random number generated in the computer card or exclusive-ORed, and transmitted to the user, and transmitted from the computer card. Returns the value obtained by subtracting the character string entered by the user from the received information or the value obtained by performing an exclusive OR operation on the computer card, and checks whether the random number generated in the computer card matches the returned value. 6. The encryption authentication processing method using a computer card according to claim 5, wherein: 9. A process for using information or an encryption method in a computer card according to a user's authority is performed by confirming whether or not the user is an administrator with a computer card. 6. An encryption authentication processing method using a computer card according to claim 5, wherein an access right to the information is given, and otherwise, an access right to the public and secret information in the computer card is given. 10. A process in which a user does not leak confidential information out of a computer card is characterized in that the user is notified of an identifier assigned to the confidential information instead of notifying the confidential information to the outside of the computer card as it is. An encryption authentication processing method using a computer card according to claim 5. 11. The process of using an encryption authentication function with an encryption method designated by a user is characterized in that a user can obtain a list of a plurality of encryption methods that function in a computer card and select an encryption method desired to be used. An encryption authentication processing method using a computer card according to claim 5. 12. A communication control unit for controlling communication between a user and a computer card, an access control unit for controlling which information in the computer card the user can access, control of processing in the computer card and encryption authentication. A control unit that performs task management for executing processes in parallel, an encryption / decryption processing unit that performs encryption / decryption processing, a signature / authentication processing unit that performs signature / authentication processing, and compresses plaintext data for signature Manages a hash processing unit, a key pair generation unit that generates a public key and a secret key, a random number generation unit that generates a random number for encryption key generation and user authentication, and manages multiple encryption methods that function on a computer card An encryption method management unit, an encryption method storage unit that stores encryption methods that function on a computer card, a public information storage unit that stores data that can be referenced from outside the computer card, A cryptographic authentication processing device using a computer card, comprising: a secret information storage unit for storing data which can be referred to only by a computer card.